Subsidiaries of Indonesian low-cost airline Lion Air, including Malindo Air and Thai Lion Air, have suffered a massive data breach, resulting in the information of millions of passengers being leaked onto data exchange forums. The breached data includes:
- full names
- home addresses
- email addresses
- dates of birth
- phone numbers
- passport numbers and expiration dates
The files of passengers who flew with Thai Lion Air and Malindo Air were stored in an open Amazon Web Services bucket, where a hacker gained access and dumped the files online.
It’s likely that hundreds of thousands of companies have the same cybersecurity issue as Lion Air. Lion Air is just the latest one making the news. One of the biggest weaknesses at nearly every company and in every network is overly permissive permissions. It’s always been a problem, but before the cloud, only already-trusted insiders could take advantage of the security misconfigurations, and only a minuscule percentage of employees were motivated to go looking. And if they found and exploited something, the damage was contained and news of the “break-in” often didn’t require public disclosure. But in today’s public cloud-centric world, those same bad habits of incorrect, overly permissive access control permissions are being laid bare by attackers who can freely explore all of the world’s best cloud services and exploit the weak permissions they find, nearly all of which won’t cause a single security event in the exploited company’s event logs. The problem is much bigger than anyone is talking about.
While Malindo Air is still investigating this incident, it is clear that proper security measures were not in place to safeguard the data contained in that AWS bucket. Information that was left exposed on a public cloud storage resource includes passport details, phone numbers and addresses. The mistake or overlooked security measure that led to this breach was most likely a very simple one, as is the case with most of the data breaches we read about in the news week after week. Companies must do a better job at proactively securing sensitive data, starting with the basics and then building to more mature programs. To protect customer data, organizations should employ continuous security validation tools to identify and prioritize the gaps in security that need to be addressed first, and continuously assess the viability of their security controls to make sure they are enabled, configured correctly and operating effectively at all times.
At approximately 4.6 billion, the number of scheduled passengers handled by the global airline industry may set a record in 2019. With all those customers, airline companies are responsible for protecting a staggering amount of data, making this industry a hot target for threat actors to unleash malicious attacks.
Airlines often store highly personal information of passengers, like passports and other travel documents, and the data that was breached could be easily sold on dark web marketplaces and used to commit fraud. Airline companies are now looking into using biometrics and facial recognition to expedite boarding processes, which is concerning given the airline breaches of recent years. Knowing this, it is critical that airlines and other organizations that regularly handle sensitive consumer data understand the serious risk associated with a breach of that information, including data leaks due to misconfigurations. It’s now easier than ever to utilize security strategies and tools that prescribe real-time, contextual and ongoing security, detecting abnormal behavior and prompting further action to validate identity. Organizations that use these strategies and tools are in a better position to prevent malicious actors from gaining unauthorized access and seizing sensitive consumer data and PII.